DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General

Improvements Needed in Security Management of the United States
Citizenship and Immigration Services’ CLAIMS 3 Mainframe Financial
Application

Office of Information Technology

OIG-05-28                                      July 2005

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG)
was established by the Homeland Security Act of 2002 (Public Law 107-296) by
amendment to the Inspector General Act of 1978. This is one of a series of
audit, inspection, and special reports prepared by the OIG as part of its DHS
oversight responsibilities to promote economy, effectiveness, and efficiency
within the department.

This report assesses access controls in place over DHS’ financial systems. It
is based on interviews with employees and officials of relevant agencies and
institutions, direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available
to our office, and have been discussed in draft with those responsible for
implementation. It is our hope that this report will result in more effective,
efficient, and economical operations. We express our appreciation to all of
those who contributed to the preparation of this report.

Richard L. Skinner
Acting Inspector General

Table of Contents

  Executive Summary
  Background
  Results of Audit
    CLAIMS 3 Mainframe Security Responsibilities
    Security Monitoring of CLAIMS 3 Mainframe Application
    Inappropriate CLAIMS 3 Mainframe Remote Access
    Weaknesses In CLAIMS 3 Mainframe Password Administration
    Lack of Preventive Maintenance and System Upgrades

Appendices
  Appendix A:  Purpose, Scope, and Methodology
  Appendix B:  Management’s Response
  Appendix C:  Major Contributors To This Report
  Appendix D:  Report Distribution

Abbreviations
  CIO        Chief Information Officer
  CLAIMS 3   Computer Linked Application Information Management System 3
  DHS        Department of Homeland Security
  DOJ        Department of Justice
  EMerge2    Electronically Managing Enterprise Resources for Government
             Effectiveness and Efficiency
  FY         Fiscal Year
  ICE        Immigration and Customs Enforcement
  INS        Immigration and Naturalization Service
  ISSO       Information Systems Security Officer
  IT         Information Technology
  LAN        Local Area Network
  MD         Management Directive
  NIST       National Institute of Standards and Technology
  OIG        Office of Inspector General
  OMB        Office of Management and Budget
  USCIS      United States Citizenship and Immigration Services

Executive Summary

The United States Citizenship and Immigration Services (USCIS) bureau
processes all applications and petitions for visas and for various immigrant
benefits (e.g. change of status, employment authorization, extension of stay,
etc). USCIS utilizes the Computer Linked Application Information Management
System 3 (CLAIMS 3) mainframe to track pending customs and immigration
applications.
This system also serves as the central repository for entering data into the
USCIS’ CLAIMS 3 Local Area Network (LAN). A strong set of logical and physical
access controls over the CLAIMS 3 mainframe is necessary to prevent the risk
of unauthorized system access that could result in potential disclosure of or
malicious acts to this sensitive information. Our review focused on the access
controls that USCIS has implemented to protect the CLAIMS 3 mainframe
information.

We evaluated whether there is adequate management in place over the security
of USCIS’ CLAIMS 3 mainframe application. We performed our work at locations
in Washington, DC; Rockville, Maryland; and at the Department of Justice’s
(DOJ) Data Center in Dallas, Texas. See Appendix A for a discussion of our
purpose, scope, and methodology.

Access controls in place over the CLAIMS 3 mainframe are not sufficient to
prevent unauthorized access to or loss of the system’s immigration and customs
information.
Our review disclosed that:

  • USCIS does not have a security administrator in place to manage the
    day-to-day access levels and system parameters for this application,

  • USCIS personnel do not review and monitor user access levels to ensure
    that only authorized individuals have access to this financial system,

  • Passwords are not administered in accordance with DHS Security policy,

  • An individual employed at the data center where this mainframe resides
    can remotely access the CLAIMS 3 mainframe application from his home
    personal computer, and

  • Preventive maintenance and system upgrades are no longer being performed
    on this application.

We are recommending that the USCIS Chief Information Officer (CIO):

  • Designate a USCIS CLAIMS 3 security administrator,

  • Develop and implement a set of policies and procedures for a coordinated
    effort of administering and managing the CLAIMS 3 mainframe security
    process between USCIS and ICE,

  • Establish procedures for a USCIS security administrator to review and
    monitor access controls security reports on a daily basis,

  • Establish procedures for a USCIS security administrator to re-certify
    user access privileges to the CLAIMS 3 mainframe at least on an annual
    basis,

  • Enforce DHS’ remote access policy requiring that DHS systems be accessed
    only through DHS approved hardware and software,

  • Strengthen the CLAIMS 3 mainframe password configurations in accordance
    with DHS’ Security Handbook[1], and

  • Re-establish preventive maintenance and system upgrades for the CLAIMS 3
    mainframe.

[1] IT Security Program Handbook (Management Directive 4300A) version 2,
dated December 2003

Background

CLAIMS 3 is a financial application that supports processing of USCIS
applications and petitions for various immigrant benefits (e.g. change of
status, employment authorization, extension of stay, etc). This mainframe
application was developed to meet the information needs of personnel at legacy
DOJ’s Immigration and Naturalization Service (INS) headquarters, service
processing centers, and district offices.
At the service processing centers the CLAIMS 3 LAN, located in Rockville,
Maryland, has replaced much of this routine processing. The CLAIMS 3 mainframe
application also serves as the repository for all data processed in the
CLAIMS 3 LAN system through daily batch runs. The USCIS mainframe is housed in
DOJ’s Dallas Data Center while the application services are provided by DOJ at
the Rockville Data Center. DHS’ Immigration and Customs Enforcement (ICE) is
responsible for maintaining the systems access controls software and
establishing user access privileges.

The CLAIMS 3 mainframe application has two primary objectives:

  • To serve effectively the operational and management needs of USCIS
    personnel accepting and adjudicating applications and petitions for
    benefits in district offices, service processing centers and headquarters
    offices, and

  • To provide the capability to extract data on immigration and customs
    benefits and to produce aggregate statistical reports.

CLAIMS 3 has two primary components: (1) online data entry, query, and
adjudication system and (2) a system of batch runs that extract and report
data and provide interfaces with other systems.
Data for the CLAIMS 3 system is entered at the service processing centers.

A strong set of access controls over the CLAIMS 3 mainframe application is
important to ensure that individuals outside of USCIS do not gain unauthorized
access to this system’s sensitive immigration and customs information. OMB
Circular A-130[2] requires government agencies to provide adequate security
that is “commensurate with the risk and magnitude of the harm resulting from
the loss, misuse, or unauthorized access to or modification of information.
This includes assuring that systems and applications operate effectively and
provide appropriate confidentiality, integrity, and availability, through the
use of cost-effective management, personnel, operational, and technical
controls.” In addition, agencies should also “assign responsibility for
security in each system to an individual knowledgeable in the information
technology used in the system and in providing security for such technology.”

A strong set of access controls over the CLAIMS 3 application is also
important as DHS moves towards the consolidation and merger of its financial
systems.
DHS’ Electronically Managing Enterprise Resources for Government Effectiveness
and Efficiency (eMerge2) project will bring together the Department’s legacy
financial systems from 22 agencies. A prerequisite to any merger of systems is
to ensure that existing weaknesses in a system are not transferred over to the
new system environment.

Finally, DHS’ FY 2004 financial statement audit[3] disclosed over 35 access
control related issues from the review of financial systems at major DHS
components. Some of these issues were in existence before the establishment of
DHS and were transferred to DHS from legacy agencies like DOJ. These issues
along with the other information technology issues noted in the audit report
contributed to the independent auditor’s declaration of a material weakness
for DHS’ IT environment.

[2] Office of Management and Budget (OMB) Circular A-130, Management of
Federal Information Resources Appendix III, Security of Federal Automated
Information Resources.
[3] Independent Auditors’ Report on DHS’ FY 2004 Financial Statements, Office
of Audits, Office of Inspector General, Department of Homeland Security,
OIG-05-05, December 2004.

Results of Audit

CLAIMS 3 Mainframe Security Responsibilities

USCIS does not control or manage security over its CLAIMS 3 mainframe
application. Although the USCIS CIO relies on ICE security administrators to
monitor and administer the day-to-day security responsibilities of the
CLAIMS 3 mainframe, this office does not have access to security reports and
user access lists to ensure that CLAIMS 3 mainframe security is being properly
administered. When the CLAIMS 3 mainframe application, containing immigration
and customs information, was transferred from DOJ to DHS’ USCIS bureau in
March 2003, responsibility for monitoring and reviewing security for this
system remained with DHS’ ICE bureau. As a result, USCIS, the owners of the
CLAIMS 3 mainframe application, must rely on ICE to monitor system security
issues and user access permissions on its behalf. Further, DHS’ IT Security
Handbook[4] requires system owners to re-certify user access on an annual
basis but this process cannot occur if the system owners and users do not have
access to the tools necessary to perform the monitoring. This approach to
managing security of the CLAIMS 3 mainframe leaves the control environment
surrounding sensitive immigration and customs information in the hands of
non-system users who do not have a need to know or need to access this
information.

Recommendation:

We recommend that the USCIS CIO:

  1. Designate a USCIS CLAIMS 3 security administrator.

USCIS CIO Comments and OIG Analysis

The USCIS CIO agreed with our recommendation and stated that her office is
currently in the process of implementing revised procedures and controls,
defining and re-defining the responsibilities of the CLAIMS 3 security
administrator, and conducting the formal appointment process for this
position. We accept USCIS’ response and consider this recommendation resolved.

[4] IT Security Program Handbook (MD 4300A), Attachment J, Section 3.0,
version 2, dated December 2003.

Security Monitoring of CLAIMS 3 Mainframe Application

USCIS security administrators do not review and monitor CLAIMS 3 mainframe
security reports. This situation is occurring, in part, because responsibility
for security remained with ICE security administrators following the creation
of DHS. As a result, USCIS does not have the ability to generate access
controls security reports for its CLAIMS 3 mainframe application because only
ICE personnel have security administrator privileges to this system.
Further, ICE security administrators do not provide copies of these CLAIMS 3
Mainframe security reports to USCIS security administrators.

USCIS cannot be assured that only authorized users have access to its system
and that access privileges are proper because ICE does not provide security
reports or any other form of confirmation to USCIS to ensure that CLAIMS 3
mainframe security is being reviewed on a daily basis. User access privileges
should be monitored on a daily basis by system administrators to ensure that
user access levels are current and are necessary for users to perform their
current job responsibilities. When user access levels are not monitored on a
regular basis the potential exists that inactive accounts may remain on the
system over time increasing the possibility that unauthorized users may access
these accounts and potentially modify sensitive information. A review of
access control security reports helps to ensure that inactive accounts are
removed in a timely manner and that only authorized USCIS users have access to
CLAIMS 3 information.

DHS’ IT Security Handbook[5] requires system owners to re-certify user access
privileges on an annual basis.
Because users’ need to access information changes over time, supervisors need
to review access lists to ensure that they are current and up-to-date. If user
accounts are not re-validated on a regular basis there is the potential that
users may be granted access beyond their current needs, thus elevating the
risk that system data could be compromised, and inappropriate actions (e.g.,
unauthorized access to funds control, processing payments, inventory
management) could be made.

[5] IT Security Program Handbook (MD 4300), Attachment J, Section 3.0,
version 2, dated December 2003.

As a part of our review to ensure that adequate access security controls are
in place over the CLAIMS 3 mainframe we requested copies of CLAIMS 3 mainframe
security reports so that we could validate user access privileges and access
controls software parameters. However, ICE security personnel were unable to
provide them to us. In addition, through the interview process with both USCIS
and ICE security personnel we also confirmed that there is no process in place
to ensure that accounts are disabled when users have three unsuccessful logon
attempts. When user accounts are not locked out of the system after several
unsuccessful password attempts, the system becomes more susceptible to
successful hacking attempts.
Guidance from the National Institute of Standards and Technology (NIST)
indicates that organizations should limit the number of logon attempts to
ensure that user passwords are changed frequently.

Recommendations:

We recommend that the USCIS CIO:

  2. Develop and implement a set of policies and procedures for a coordinated
     effort of administering and managing the CLAIMS 3 mainframe security
     process between USCIS and ICE.

  3. Establish procedures for a USCIS security administrator to review and
     monitor access controls security reports on a daily basis.

  4. Establish procedures for a USCIS security administrator to re-certify
     user access privileges to the CLAIMS 3 mainframe at least on an annual
     basis.

USCIS CIO Comments and OIG Analysis

The USCIS CIO agreed with our recommendations. According to the CIO, policies
and procedures for administering and managing the CLAIMS 3 mainframe security
process including procedures for the review and monitoring of access controls
security reports will be in place by April 30, 2006.
Procedures for a USCIS security administrator to re-certify user access
privileges for the CLAIMS 3 mainframe will be in place by October 31, 2005.
We accept USCIS’ response and consider these recommendations resolved.

Inappropriate CLAIMS 3 Mainframe Remote Access

DOJ personnel at the Dallas data center have inappropriate remote access
privileges to the CLAIMS 3 mainframe. The CLAIMS 3 mainframe system resides in
DOJ’s Dallas data center. During our visit to Dallas we were informed that a
DOJ employee has the ability to access the CLAIMS 3 mainframe from his home
personal computer. According to DHS’ IT Security Handbook[6] no dial-in access
will be used to access DHS applications or general support systems, unless
authorized in writing by the employee’s Information Systems Security Officer
(ISSO). In addition, DHS’ IT Security Handbook[7] requires that a work from
home agreement should be in place that identifies what government equipment
and supplies will be needed by the employee at home, and how the equipment and
supplies will be transferred and accounted for.
Neither ICE nor USCIS provided us with any agreements authorizing this
employee to remotely access the CLAIMS 3 mainframe. These types of access
privileges increase the risk of unauthorized access to USCIS’ CLAIMS 3
mainframe system and could lead to unauthorized modifications to the system.

Recommendation:

We recommend that the USCIS CIO:

  5. Enforce DHS’ remote access policy requiring that DHS systems be accessed
     only through DHS approved hardware and software.

[6] IT Security Program Handbook (MD 4300), Attachment D, Section 4.2,
version 2, dated December 2003.
[7] IT Security Program Handbook (MD 4300), Attachment D, Section 4.1,
version 2, dated December 2003.

USCIS CIO Comments and OIG Analysis

The USCIS CIO agrees with this recommendation. USCIS recognizes that the
laptops used by DOJ personnel for remote access are inconsistent with DHS
remote access requirements. When DHS renews the Memorandum of Understanding
with DOJ, DHS security requirements will be incorporated into the
documentation. USCIS anticipates that these negotiations will be complete by
April 26, 2006.
We accept USCIS’ response and consider this recommendation resolved.

Weaknesses in CLAIMS 3 Mainframe Application Password Administration

USCIS’ CLAIMS 3 mainframe continues to have weaknesses in its password
configurations. Our follow up of prior year issues relating to password
configuration and administration for the CLAIMS 3 mainframe indicated that
weaknesses in passwords that were identified during the FY 2003 financial
statement audit continue to exist. Specifically:

  • Users are not required to select a new password upon initial access to
    the system.

  • Configuration of user passwords is not in agreement with DHS security
    policy. (Passwords are not required to be alpha numeric, at least 8
    characters in length, contain no dictionary words, be encrypted, and not
    be reusable in fewer than six iterations)

  • Privileged account passwords are not limited to a maximum lifetime of 30
    days

  • Upon the expiration of user ids, the system does not inform users of the
    password formatting requirements for the creation or changing of a
    password.

  • Users are not notified in advance before their passwords expire.

The continued use of these weak password configurations does not comply with
DHS’ IT Security Handbook[8] which requires components to enforce strong
passwords for authentication to DHS IT Systems.

Recommendation:

We recommend that the USCIS CIO:

  6. Strengthen the CLAIMS 3 mainframe password configurations in accordance
     with DHS’ IT Security Handbook.

USCIS CIO Comments and OIG Analysis

The USCIS CIO concurs in part with this recommendation. Although USCIS agrees
that password configurations need to be upgraded, they do not agree that a
substantial investment should be made in the CLAIMS 3 mainframe application
since this system will be replaced during a multi-year IT Transformation
Program. With this IT Transformation Program, the CLAIMS 3 mainframe would be
retired and replaced with new technology.

We recognize that USCIS plans to retire the CLAIMS 3 mainframe application
during the IT Transformation Program; however, no date has been set for this
retirement.
Until a date for the CLAIMS 3 mainframe retirement has been determined,
USCIS needs to implement a strong password configuration for the CLAIMS 3
mainframe to ensure that adequate controls are in place to prevent
unauthorized access to sensitive immigration information.

[8] IT Security Program Handbook (MD 4300), Attachment J, Sections 2.0 and 3.0, version 2, dated December 2003.

Lack of Preventive Maintenance and System Upgrades

Computer software systems require constant maintenance and upgrades to stay
current with changing technologies. Maintenance on computer systems should
be performed on a regular/scheduled basis to: update system license
information, maintain consistency across various systems, ensure that systems
are compatible and work is not being duplicated, monitor available system
resources, and to identify and repair ‘bugs’ or faults in software. According
to personnel at the data center where this mainframe resides, funding for the
preventive maintenance and system upgrades was discontinued because of the
pending DHS data center consolidation. This consolidation will bring together
DHS’ data center computer hardware and software.
Although several sites have been considered for this consolidation, there is
no set timeframe for when the actual consolidation of equipment and resources
will occur. Guidance on Financial Management Systems requires that all
documentation associated with systems and software be continually updated to
provide sufficient detail to obtain a comprehensive knowledge and
understanding of an agency’s operation.

Recommendation:

We recommend that the USCIS CIO:

7. Re-establish preventive maintenance and system upgrades for the CLAIMS 3
   mainframe.

USCIS CIO Comments and OIG Analysis

The USCIS CIO concurs in part with this recommendation. The CIO agrees that
maintenance and system upgrades are sound strategies; however, this official
does not believe there is a business case to continue additional maintenance
and system upgrades on a system that will be retired during the multi-year
USCIS IT Transformation Program.

We recognize that USCIS plans to retire and replace the CLAIMS 3 mainframe
application during the IT Transformation Program; however, no date has been
set for this retirement.
Until a date for the CLAIMS 3 mainframe retirement has been determined, USCIS
needs to continue maintenance and system upgrades for this system in order to
ensure that immigration information is accurately processed.

Appendix A
Purpose, Scope, and Methodology

The overall objective of our audit was to determine whether there is adequate
management in place over the security of USCIS’ CLAIMS 3 mainframe
application. The scope of our testing included the following:

• Perform a physical security analysis of sites associated with the CLAIMS 3
  Mainframe application.
• Provide update on security concerns identified during prior access controls
  audits at USCIS.
• Review OS/390 mainframe operating system and subsystems used for the
  CLAIMS 3 application.
• Review the parameters utilized by the access control software program,
  including user profiles and access privileges.

We conducted our audit between July 2004 and December 2004 under the
authority of the Inspector General Act of 1978, as amended, and according to
generally accepted government auditing standards.
The fieldwork for our audit was conducted at the following DHS locations:

• Bureau of Citizenship and Immigration Services (CIS)
    o Headquarters location
• Department of Justice (DOJ)
    o Dallas Data Center
    o Rockville Data Center

The principal OIG points of contact for the audit are Frank Deffer, Assistant
Inspector General for Information Technology Audits, (202) 254-4041; and
Roger Dressler, Director, Information Systems and Architecture,
(202) 254-5441. Major OIG contributors to the audit are identified in
Appendix C.

Appendix B
Management’s Response
Appendix C
Major Contributors To This Report

Office of Information Technology
Information Systems and Architecture Division

Frank Deffer, AIG
Roger Dressler, Director
Sharon Huiswoud, IT Audit Manager
Anthony Nicholson, IT Auditor
Sharell Matthews, Referencer

Information Systems and Architecture Division

Jim Lantzy, Director
Lane Melton, Senior Security Engineer
Karyn Higa, Security Engineer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Acting Director, USCIS
Chief of Staff
General Counsel
Executive Secretariat
DHS Chief Information Officer
DHS Audit Liaison
DHS Public Affairs
Chief Information Officer Audit Liaison
USCIS Chief Information Officer
USCIS Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector
General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit
the OIG web site at www.dhs.gov.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to department programs or
operations, call the OIG Hotline at 1-800-323-8603; write to Department of
Homeland Security, Washington, DC 20528, Attn: Office of Inspector General,
Investigations Division – Hotline. The OIG seeks to protect the identity of
each writer and caller.